hs_descriptor.h 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346
  1. /* Copyright (c) 2016-2018, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file hs_descriptor.h
  5. * \brief Header file for hs_descriptor.c
  6. **/
  7. #ifndef TOR_HS_DESCRIPTOR_H
  8. #define TOR_HS_DESCRIPTOR_H
  9. #include <stdint.h>
  10. #include "core/or/or.h"
  11. #include "trunnel/ed25519_cert.h" /* needed for trunnel */
  12. #include "feature/nodelist/torcert.h"
  13. /* Trunnel */
  14. struct link_specifier_t;
  15. /* The earliest descriptor format version we support. */
  16. #define HS_DESC_SUPPORTED_FORMAT_VERSION_MIN 3
  17. /* The latest descriptor format version we support. */
  18. #define HS_DESC_SUPPORTED_FORMAT_VERSION_MAX 3
  19. /* Default lifetime of a descriptor in seconds. The valus is set at 3 hours
  20. * which is 180 minutes or 10800 seconds. */
  21. #define HS_DESC_DEFAULT_LIFETIME (3 * 60 * 60)
  22. /* Maximum lifetime of a descriptor in seconds. The value is set at 12 hours
  23. * which is 720 minutes or 43200 seconds. */
  24. #define HS_DESC_MAX_LIFETIME (12 * 60 * 60)
  25. /* Lifetime of certificate in the descriptor. This defines the lifetime of the
  26. * descriptor signing key and the cross certification cert of that key. It is
  27. * set to 54 hours because a descriptor can be around for 48 hours and because
  28. * consensuses are used after the hour, add an extra 6 hours to give some time
  29. * for the service to stop using it. */
  30. #define HS_DESC_CERT_LIFETIME (54 * 60 * 60)
  31. /* Length of the salt needed for the encrypted section of a descriptor. */
  32. #define HS_DESC_ENCRYPTED_SALT_LEN 16
  33. /* Length of the KDF output value which is the length of the secret key,
  34. * the secret IV and MAC key length which is the length of H() output. */
  35. #define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN \
  36. CIPHER256_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN
  37. /* Pad plaintext of superencrypted data section before encryption so that its
  38. * length is a multiple of this value. */
  39. #define HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE 10000
  40. /* Maximum length in bytes of a full hidden service descriptor. */
  41. #define HS_DESC_MAX_LEN 50000 /* 50kb max size */
  42. /* Key length for the descriptor symmetric encryption. As specified in the
  43. * protocol, we use AES-256 for the encrypted section of the descriptor. The
  44. * following is the length in bytes and the bit size. */
  45. #define HS_DESC_ENCRYPTED_KEY_LEN CIPHER256_KEY_LEN
  46. #define HS_DESC_ENCRYPTED_BIT_SIZE (HS_DESC_ENCRYPTED_KEY_LEN * 8)
  47. /* Length of each components in the auth client section in the descriptor. */
  48. #define HS_DESC_CLIENT_ID_LEN 8
  49. #define HS_DESC_DESCRIPTOR_COOKIE_LEN 16
  50. #define HS_DESC_COOKIE_KEY_LEN 32
  51. #define HS_DESC_COOKIE_KEY_BIT_SIZE (HS_DESC_COOKIE_KEY_LEN * 8)
  52. #define HS_DESC_ENCRYPED_COOKIE_LEN HS_DESC_DESCRIPTOR_COOKIE_LEN
  53. /* The number of auth client entries in the descriptor must be the multiple
  54. * of this constant. */
  55. #define HS_DESC_AUTH_CLIENT_MULTIPLE 16
  56. /* Type of authentication in the descriptor. */
  57. typedef enum {
  58. HS_DESC_AUTH_ED25519 = 1
  59. } hs_desc_auth_type_t;
  60. /* Link specifier object that contains information on how to extend to the
  61. * relay that is the address, port and handshake type. */
  62. typedef struct hs_desc_link_specifier_t {
  63. /* Indicate the type of link specifier. See trunnel ed25519_cert
  64. * specification. */
  65. uint8_t type;
  66. /* It must be one of these types, can't be more than one. */
  67. union {
  68. /* IP address and port of the relay use to extend. */
  69. tor_addr_port_t ap;
  70. /* Legacy identity. A 20-byte SHA1 identity fingerprint. */
  71. uint8_t legacy_id[DIGEST_LEN];
  72. /* ed25519 identity. A 32-byte key. */
  73. uint8_t ed25519_id[ED25519_PUBKEY_LEN];
  74. } u;
  75. } hs_desc_link_specifier_t;
  76. /* Introduction point information located in a descriptor. */
  77. typedef struct hs_desc_intro_point_t {
  78. /* Link specifier(s) which details how to extend to the relay. This list
  79. * contains hs_desc_link_specifier_t object. It MUST have at least one. */
  80. smartlist_t *link_specifiers;
  81. /* Onion key of the introduction point used to extend to it for the ntor
  82. * handshake. */
  83. curve25519_public_key_t onion_key;
  84. /* Authentication key used to establish the introduction point circuit and
  85. * cross-certifies the blinded public key for the replica thus signed by
  86. * the blinded key and in turn signs it. */
  87. tor_cert_t *auth_key_cert;
  88. /* Encryption key for the "ntor" type. */
  89. curve25519_public_key_t enc_key;
  90. /* Certificate cross certifying the descriptor signing key by the encryption
  91. * curve25519 key. This certificate contains the signing key and is of type
  92. * CERT_TYPE_CROSS_HS_IP_KEYS [0B]. */
  93. tor_cert_t *enc_key_cert;
  94. /* (Optional): If this introduction point is a legacy one that is version <=
  95. * 0.2.9.x (HSIntro=3), we use this extra key for the intro point to be able
  96. * to relay the cells to the service correctly. */
  97. struct {
  98. /* RSA public key. */
  99. crypto_pk_t *key;
  100. /* Cross certified cert with the descriptor signing key (RSA->Ed). Because
  101. * of the cross certification API, we need to keep the certificate binary
  102. * blob and its length in order to properly encode it after. */
  103. struct {
  104. uint8_t *encoded;
  105. size_t len;
  106. } cert;
  107. } legacy;
  108. /* True iff the introduction point has passed the cross certification. Upon
  109. * decoding an intro point, this must be true. */
  110. unsigned int cross_certified : 1;
  111. } hs_desc_intro_point_t;
  112. /* Authorized client information located in a descriptor. */
  113. typedef struct hs_desc_authorized_client_t {
  114. /* An identifier that the client will use to identify which auth client
  115. * entry it needs to use. */
  116. uint8_t client_id[HS_DESC_CLIENT_ID_LEN];
  117. /* An IV that is used to decrypt the encrypted descriptor cookie. */
  118. uint8_t iv[CIPHER_IV_LEN];
  119. /* An encrypted descriptor cookie that the client needs to decrypt to use
  120. * it to decrypt the descriptor. */
  121. uint8_t encrypted_cookie[HS_DESC_ENCRYPED_COOKIE_LEN];
  122. } hs_desc_authorized_client_t;
  123. /* The encrypted data section of a descriptor. Obviously the data in this is
  124. * in plaintext but encrypted once encoded. */
  125. typedef struct hs_desc_encrypted_data_t {
  126. /* Bitfield of CREATE2 cell supported formats. The only currently supported
  127. * format is ntor. */
  128. unsigned int create2_ntor : 1;
  129. /* A list of authentication types that a client must at least support one
  130. * in order to contact the service. Contains NULL terminated strings. */
  131. smartlist_t *intro_auth_types;
  132. /* Is this descriptor a single onion service? */
  133. unsigned int single_onion_service : 1;
  134. /* A list of intro points. Contains hs_desc_intro_point_t objects. */
  135. smartlist_t *intro_points;
  136. } hs_desc_encrypted_data_t;
  137. /* The superencrypted data section of a descriptor. Obviously the data in
  138. * this is in plaintext but encrypted once encoded. */
  139. typedef struct hs_desc_superencrypted_data_t {
  140. /* This field contains ephemeral x25519 public key which is used by
  141. * the encryption scheme in the client authorization. */
  142. curve25519_public_key_t auth_ephemeral_pubkey;
  143. /* A list of authorized clients. Contains hs_desc_authorized_client_t
  144. * objects. */
  145. smartlist_t *clients;
  146. /* Decoding only: The b64-decoded encrypted blob from the descriptor */
  147. uint8_t *encrypted_blob;
  148. /* Decoding only: Size of the encrypted_blob */
  149. size_t encrypted_blob_size;
  150. } hs_desc_superencrypted_data_t;
  151. /* Plaintext data that is unencrypted information of the descriptor. */
  152. typedef struct hs_desc_plaintext_data_t {
  153. /* Version of the descriptor format. Spec specifies this field as a
  154. * positive integer. */
  155. uint32_t version;
  156. /* The lifetime of the descriptor in seconds. */
  157. uint32_t lifetime_sec;
  158. /* Certificate with the short-term ed22519 descriptor signing key for the
  159. * replica which is signed by the blinded public key for that replica. */
  160. tor_cert_t *signing_key_cert;
  161. /* Signing public key which is used to sign the descriptor. Same public key
  162. * as in the signing key certificate. */
  163. ed25519_public_key_t signing_pubkey;
  164. /* Blinded public key used for this descriptor derived from the master
  165. * identity key and generated for a specific replica number. */
  166. ed25519_public_key_t blinded_pubkey;
  167. /* Revision counter is incremented at each upload, regardless of whether
  168. * the descriptor has changed. This avoids leaking whether the descriptor
  169. * has changed. Spec specifies this as a 8 bytes positive integer. */
  170. uint64_t revision_counter;
  171. /* Decoding only: The b64-decoded superencrypted blob from the descriptor */
  172. uint8_t *superencrypted_blob;
  173. /* Decoding only: Size of the superencrypted_blob */
  174. size_t superencrypted_blob_size;
  175. } hs_desc_plaintext_data_t;
  176. /* Service descriptor in its decoded form. */
  177. typedef struct hs_descriptor_t {
  178. /* Contains the plaintext part of the descriptor. */
  179. hs_desc_plaintext_data_t plaintext_data;
  180. /* The following contains what's in the superencrypted part of the
  181. * descriptor. It's only encrypted in the encoded version of the descriptor
  182. * thus the data contained in that object is in plaintext. */
  183. hs_desc_superencrypted_data_t superencrypted_data;
  184. /* The following contains what's in the encrypted part of the descriptor.
  185. * It's only encrypted in the encoded version of the descriptor thus the
  186. * data contained in that object is in plaintext. */
  187. hs_desc_encrypted_data_t encrypted_data;
  188. /* Subcredentials of a service, used by the client and service to decrypt
  189. * the encrypted data. */
  190. uint8_t subcredential[DIGEST256_LEN];
  191. } hs_descriptor_t;
  192. /* Return true iff the given descriptor format version is supported. */
  193. static inline int
  194. hs_desc_is_supported_version(uint32_t version)
  195. {
  196. if (version < HS_DESC_SUPPORTED_FORMAT_VERSION_MIN ||
  197. version > HS_DESC_SUPPORTED_FORMAT_VERSION_MAX) {
  198. return 0;
  199. }
  200. return 1;
  201. }
  202. /* Public API. */
  203. void hs_descriptor_free_(hs_descriptor_t *desc);
  204. #define hs_descriptor_free(desc) \
  205. FREE_AND_NULL(hs_descriptor_t, hs_descriptor_free_, (desc))
  206. void hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc);
  207. #define hs_desc_plaintext_data_free(desc) \
  208. FREE_AND_NULL(hs_desc_plaintext_data_t, hs_desc_plaintext_data_free_, (desc))
  209. void hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc);
  210. #define hs_desc_superencrypted_data_free(desc) \
  211. FREE_AND_NULL(hs_desc_superencrypted_data_t, \
  212. hs_desc_superencrypted_data_free_, (desc))
  213. void hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc);
  214. #define hs_desc_encrypted_data_free(desc) \
  215. FREE_AND_NULL(hs_desc_encrypted_data_t, hs_desc_encrypted_data_free_, (desc))
  216. void hs_desc_link_specifier_free_(hs_desc_link_specifier_t *ls);
  217. #define hs_desc_link_specifier_free(ls) \
  218. FREE_AND_NULL(hs_desc_link_specifier_t, hs_desc_link_specifier_free_, (ls))
  219. hs_desc_link_specifier_t *hs_desc_link_specifier_new(
  220. const extend_info_t *info, uint8_t type);
  221. void hs_descriptor_clear_intro_points(hs_descriptor_t *desc);
  222. MOCK_DECL(int,
  223. hs_desc_encode_descriptor,(const hs_descriptor_t *desc,
  224. const ed25519_keypair_t *signing_kp,
  225. const uint8_t *descriptor_cookie,
  226. char **encoded_out));
  227. int hs_desc_decode_descriptor(const char *encoded,
  228. const uint8_t *subcredential,
  229. const curve25519_secret_key_t *client_auth_sk,
  230. hs_descriptor_t **desc_out);
  231. int hs_desc_decode_plaintext(const char *encoded,
  232. hs_desc_plaintext_data_t *plaintext);
  233. int hs_desc_decode_superencrypted(const hs_descriptor_t *desc,
  234. hs_desc_superencrypted_data_t *desc_out);
  235. int hs_desc_decode_encrypted(const hs_descriptor_t *desc,
  236. const curve25519_secret_key_t *client_auth_sk,
  237. hs_desc_encrypted_data_t *desc_out);
  238. size_t hs_desc_obj_size(const hs_descriptor_t *data);
  239. size_t hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data);
  240. hs_desc_intro_point_t *hs_desc_intro_point_new(void);
  241. void hs_desc_intro_point_free_(hs_desc_intro_point_t *ip);
  242. #define hs_desc_intro_point_free(ip) \
  243. FREE_AND_NULL(hs_desc_intro_point_t, hs_desc_intro_point_free_, (ip))
  244. void hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client);
  245. #define hs_desc_authorized_client_free(client) \
  246. FREE_AND_NULL(hs_desc_authorized_client_t, \
  247. hs_desc_authorized_client_free_, (client))
  248. link_specifier_t *hs_desc_lspec_to_trunnel(
  249. const hs_desc_link_specifier_t *spec);
  250. hs_desc_authorized_client_t *hs_desc_build_fake_authorized_client(void);
  251. void hs_desc_build_authorized_client(const uint8_t *subcredential,
  252. const curve25519_public_key_t *
  253. client_auth_pk,
  254. const curve25519_secret_key_t *
  255. auth_ephemeral_sk,
  256. const uint8_t *descriptor_cookie,
  257. hs_desc_authorized_client_t *client_out);
  258. void hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc);
  259. void hs_desc_superencrypted_data_free_contents(
  260. hs_desc_superencrypted_data_t *desc);
  261. void hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc);
  262. #ifdef HS_DESCRIPTOR_PRIVATE
  263. /* Encoding. */
  264. STATIC char *encode_link_specifiers(const smartlist_t *specs);
  265. STATIC size_t build_plaintext_padding(const char *plaintext,
  266. size_t plaintext_len,
  267. uint8_t **padded_out);
  268. /* Decoding. */
  269. STATIC smartlist_t *decode_link_specifiers(const char *encoded);
  270. STATIC hs_desc_intro_point_t *decode_introduction_point(
  271. const hs_descriptor_t *desc,
  272. const char *text);
  273. STATIC int encrypted_data_length_is_valid(size_t len);
  274. STATIC int cert_is_valid(tor_cert_t *cert, uint8_t type,
  275. const char *log_obj_type);
  276. STATIC int desc_sig_is_valid(const char *b64_sig,
  277. const ed25519_public_key_t *signing_pubkey,
  278. const char *encoded_desc, size_t encoded_len);
  279. MOCK_DECL(STATIC size_t, decrypt_desc_layer,(const hs_descriptor_t *desc,
  280. const uint8_t *encrypted_blob,
  281. size_t encrypted_blob_size,
  282. const uint8_t *descriptor_cookie,
  283. int is_superencrypted_layer,
  284. char **decrypted_out));
  285. #endif /* defined(HS_DESCRIPTOR_PRIVATE) */
  286. #endif /* !defined(TOR_HS_DESCRIPTOR_H) */